External risk intelligence

1C-Bitrix allows attackers to execute code and take over websites

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2025-67887

An internal attacker with translation privileges in 1C-Bitrix can run unauthorized commands on the server. This allows the attacker to take full control of the system and access sensitive company data.

Halo Surface Signal: 3

Code Injection

External exposure likelihood

Halo Surface Signal score for CVE-2025-67887

1C-Bitrix is a web-based CMS, typically deployed as an internet-facing service. This vulnerability requires an authenticated user with elevated translation privileges to exploit. Because the actionable attack surface is limited to existing users with specific roles, it is less exposed than a fully unauthenticated public endpoint, making the exploit path less likely to be reachable from the intern…

Horizon Alert

Summary of the vulnerability and why it matters

This issue in 1C-Bitrix affects the Translate Module, allowing a user with specific permissions to upload and execute code. This could let an attacker gain control of your website.

  • Allows code execution.
  • Requires elevated permissions.
  • Can impact website integrity.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by uploading malicious PHP and `.htaccess` files to a 1C-Bitrix site. This would allow them to execute arbitrary code on the server, provided they have specific 'SOURCE/WRITE' permissions within the Translate Module. The supplier disputes this as a vulnerability, claiming it's intended behavior for high-privileged users.

  • Requires specific permissions.
  • Targets the Translate Module.
  • Uploads executable files.

Live Threat

Current exploitation, exposure, and threat context

The vendor disputes this vulnerability, stating it is intended behavior for users with high privileges to upload translated pages. This significantly limits the realistic attack surface to authenticated users with specific SOURCE/WRITE permissions on the Translate Module. While remote code execution is possible, its exploitation is constrained by these access requirements.

  • Limited to authenticated users.
  • Vendor claims intended behavior.
  • No public exploit or KEV signals.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize investigating and securing the 1C-Bitrix Translate Module, especially if it is accessible externally. The vendor disputes the vulnerability, claiming it's intended behavior for privileged users, but the CVSS score indicates a critical risk of remote code execution. Focus on identifying if any user with SOURCE/WRITE permissions for the Translate Module can upload malicious files and restrict these permissions if exploitation is confirmed.

  • Review Translate Module permissions.
  • Block suspicious file uploads.
  • Monitor for unauthorized code execution.
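One way to support the review and monitoring steps above is to list recently written PHP and `.htaccess` files under a directory that translation users can write to, and to note any `.htaccess` directive that changes how files are handled. This is an added example, not code from the advisory or from 1C-Bitrix; the directory to scan, the time window, and the sample tree (including its file names) are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time

# Apache directives that change how a directory's files are handled.
RISKY = re.compile(r"^\s*(AddHandler|AddType|SetHandler|ForceType|php_flag|php_value)\b", re.I | re.M)
PHP_EXT = (".php", ".phtml", ".phar")


def audit_tree(root, since_epoch):
    """List .htaccess and PHP files under root modified at/after since_epoch."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getmtime(path) < since_epoch:
                continue
            rel = os.path.relpath(path, root)
            if name.lower() == ".htaccess":
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
                hits = sorted({m.group(1).lower() for m in RISKY.finditer(text)})
                findings.append((rel, "htaccess", hits))
            elif name.lower().endswith(PHP_EXT):
                findings.append((rel, "php", []))
    return sorted(findings)


def build_sample_tree(root, now):
    """Constructed sample: one old baseline file and two recently written files."""
    os.makedirs(os.path.join(root, "lang", "en"))
    samples = {
        "old.php": ("<?php /* constructed baseline file */", now - 90 * 86400),
        "new.php": ("<?php /* constructed recent file */", now - 3600),
        ".htaccess": ("SetHandler constructed-placeholder\nOptions -Indexes\n", now - 3600),
    }
    for name, (body, mtime) in samples.items():
        path = os.path.join(root, "lang", "en", name)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, now)
        for rel, kind, hits in audit_tree(root, now - 7 * 86400):
            print(kind, rel, ",".join(hits))
```

Findings are candidates for review against known translation changes and the accounts holding SOURCE/WRITE permissions, not proof of compromise.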

Frequently asked questions

What is 1C-Bitrix and what is its purpose in web development?

1C-Bitrix is a robust content management system (CMS) and a comprehensive ecosystem used for creating websites, online stores, and corporate portals. It offers integrated tools for content management, e-commerce functionalities, marketing automation, and analytics, making it a versatile platform for various business projects, particularly in Russia and CIS countries.

What is CVE-2025-67887 and what weakness class does it belong to?

CVE-2025-67887 is a critical vulnerability that allows for Remote Code Execution (RCE). It is associated with the weakness class CWE-94, which describes improper control of a generated code construct. This occurs when an application uses untrusted input to build code without adequately neutralizing special characters, enabling an attacker to inject and execute their own code.

How can an attacker exploit CVE-2025-67887 in 1C-Bitrix?

An attacker with SOURCE/WRITE permissions for the Translate Module in 1C-Bitrix can exploit this vulnerability. By uploading a malicious PHP file and a .htaccess file, they can achieve code execution on the server.

What is the relevance of CVE-2025-67887, considering the vendor's statement?

The vendor disputes CVE-2025-67887 as a vulnerability, asserting it is intended behavior for high-privileged users to upload new translated pages. This significantly limits the practical attack surface to authenticated users with specific SOURCE/WRITE permissions within the Translate Module, making widespread exploitation less likely despite the critical CVSS score.

What are the recommended steps to respond to CVE-2025-67887?

To address CVE-2025-67887, teams should audit and secure the 1C-Bitrix Translate Module, especially if accessible externally. It is advisable to review and restrict SOURCE/WRITE permissions for the Translate Module to mitigate the risk of unauthorized file uploads and subsequent code execution. Monitoring for any suspicious code execution is also recommended.
